4 Tips for Legal Online Consumer Data Collection

People’s attitudes towards the collection of online data have been changing over the past few years. A 2017 survey suggests that 75 percent of individuals will sometimes or always read a privacy policy on a website.

Fifty-three percent of people say it’s extremely important to know whether an app or a service is using their personal data. At the same time, several massive online data collection scandals have rocked the world in recent years.

Providing a quality online service or content will often be dependent on consumer data collection. To do so legally, however, you’ll have to learn how to collect data and what documents to feature on your website or online platform.

Determine What Types of Personal Data Collection You’ll Be Doing

To craft the right online data collection procedures, you will first need to determine what types of sensitive information you’ll have access to.

Most often, online service providers work with the following:

  • IP address
  • Internet domain
  • Type of browser or OS
  • Location of the website visitor
  • Demographic profiles
  • Number of pages visited, length of stay on the website

If you have online opt-in forms, chances are that you will be collecting additional sensitive information. When you know what you’re dealing with, you will get to determine which regulatory framework(s) you’ll have to adhere to.

Understand Personal Information Law and Compliance

Online data collection could be subject to multiple regulatory frameworks because of the international nature of website visits. The EU GDPR is one of these frameworks. The US has more limited regulatory efforts as far as data privacy goes, but a few statutes may apply to the work of different online companies.

If you’re based in the US, the EU, or one of many other Western countries, you will have to comply with at least one type of data collection law. A privacy policy, terms and conditions, and thorough explanations as to why you have to collect sensitive data are the absolute minimum.

Carry Out a Privacy Audit

A website that’s already functional will have to be audited to determine whether it meets all regulatory requirements. It’s best to have an experienced legal professional carrying out such an audit.

Some of the items that will be examined include your privacy policy, whether opt-in forms allow for explicit consent, and whether people are given the chance to opt out effortlessly. Based on the audit findings, you’ll get to determine how data collection is to be modified in the future to ensure compliance.

Minimize Personal Data Collection and Retention as Much as Possible

Online consumer data collection should occur for the provision of better products and services. It’s possible that you’re currently accessing sensitive information that isn’t adding anything to the experience of people visiting your website or using your app.

There are things you can do to minimize the collection of sensitive information online. Based on the audit you’ve carried out, it’s possible to identify certain positive changes in this field.

Very often, online businesses gather a lot of extra information that could potentially be used in the future. If you’re doing this right now, you’re only making your life and work more challenging. Data breaches and hack attacks do occur. The more information you have, the bigger the problem is going to be in the case of an information leak.

A final thing to do is to ensure the security of data collection efforts. To minimize the risk of hack attacks, invest in quality servers, encryption, and access control. While there are numerous additional things you could be doing, this is the absolute minimum when it comes to meeting laws and giving your customers access to a quality service.

WordPress GDPR Compliance Guide

WordPress provides a simple and affordable opportunity for putting together a corporate website. With the new EU GDPR regulations in place, however, many WordPress website owners wonder whether they’re meeting the compliance criteria.

The primary aim of the GDPR is to protect the privacy and personal information of people interacting with businesses. Whether you’re just creating a WordPress website or you’re thinking about modifying your existing online presence, there are several key steps to undertake to ensure GDPR compliance.

Learn about the Ways in Which Your Website is Collecting Data

GDPR regulates the manner in which websites collect data from their visitors. To ensure compliance, try to pinpoint all of the ways in which your audience could be sharing personal information with you. Some of the possibilities include:

  • User registrations
  • Writing comments
  • Signing up for an email newsletter
  • Sending an inquiry via a contact form
  • Log-in requirements for individual tools or plugins
  • The collection of analytical data about the website audience

Once you have this information, you can move on to ensuring the GDPR compliance of WordPress website hosting.

Choose the Right Plugins

Luckily, WordPress and WordPress plugin developers have taken it to heart to help website owners ensure compliance with the new privacy regulations.

An array of plugins and other tools can be used for this purpose. This means you’ll be free from having to hire a web developer to modify the data collection aspects of the website. WordPress has created a page featuring all of the currently available GDPR-related plugins. It will be up to you to decide which ones you’ll have to install and run.

Update Your WordPress Version

Updating the WordPress version regularly is important from a security perspective, which is why it also plays a role in your GDPR compliance efforts.

WordPress 4.9.6 has a number of the GDPR characteristics already built into the platform. If you’re creating a WordPress website right now, you will have the latest version installed and there will be nothing to worry about.

The update takes place from your WordPress dashboard and only a few minutes are needed to get it done.

Update Your Privacy Policy

Now that you have handled the software side of things, it’s time to work on the documents that highlight the data policies and security measures your website visitors are entitled to.

A good privacy policy should provide information about:

  • Who you are and why you need to collect personal data (the only permissible option is for the provision of content and services on the website)
  • The legal basis for personal data collection
  • How information is going to be shared with third parties (in this case, WordPress plugin developers), why, and what your commitment to protecting the privacy of website visitors is
  • The timeframe for the storage of collected data
  • The rights of individuals to opt out from data collection efforts and the right to be forgotten
  • A specific clause for filing a personal data-related complaint

Needless to say, there could be certain specific clauses pertaining to the type of website you’re running and the content featured on it. You cannot rely on a generic privacy agreement, which is why consulting an experienced attorney in the field and having the privacy policy drafted professionally is going to make the most sense as far as GDPR compliance efforts go.

An Introduction to the End User License Agreement (EULA)

If you have ever downloaded software in your life, you have come across the end user license agreement (EULA). This type of license comes with specific rights and limitations that have to be followed by anyone interested in testing out or using the respective product on a regular basis.

What does end user license agreement mean and how should you draft the perfect one? While the structure is typically pre-determined, it’s not the best of ideas to rely on a template or a generic EULA.

What Is an End User License Agreement?

An end user license agreement is a license that enables a user to rely on a software product in a certain manner. It enforces use limitations and, once accepted, it will allow the person to begin running the software.

A typical example of an EULA clause is to install and run the software on a single computer. Other clauses under such an agreement could include:

  • An inability to use the app or software for revenue generation
  • A ban on attempting to decrypt an encrypted product
  • A ban on attempting to derive the source code
  • Limitations on distributing the product in a network
  • The terms and conditions under which a termination of the license will occur
  • A disclaimer of liability

Usually, the EULA appears during the first step of installation, but it could also be featured within the terms and conditions.

How to Draft a Good EULA

While it is still questionable whether a EULA is enforceable in court, various courts have upheld their legitimacy. The ProCD Inc. v. Zeidenberg case is just one example of such a legal development. While most people will not take the time to read the end user license agreement, it’s still your responsibility to draft a solid one and protect your product.

The structure of the EULA is typically comprehensive. It consists of:

  • Licensing of use terms and conditions
  • Restrictions
  • Conditions under which termination of use will occur
  • Limitation of liability clause
  • A warranty disclaimer
  • Copyright infringement information
  • Contact information

It’s in your best interest to feature all of these sections in your end user license agreement. The more comprehensive the document is, the better legal protection you’ll be entitled to against unsolicited or illegal software use.

Keep in mind that the EULA is a legal agreement between the company that has developed an app and the legal user. Because of this, it may be a good idea to have a legal professional review your EULA. While many standard clauses can be featured in such a document, it would still be a good idea to include specific information that’s relevant to your product and its intended use.

Final Steps

The final step will be to highlight the international, national, and local laws that apply to the licensing agreement and the protective clauses in it. Obviously, you can Google the licensing laws. Alternatively, you should have that consultation with an attorney to make sure you’re familiar with all applicable regulations and the manner in which they can be utilized to protect your software/intellectual property.

A final thing to keep in mind is that you should keep your EULA simple, straightforward, and easy to understand. Avoid ambiguous language that could be interpreted in multiple ways. When the rules are stated plainly and directly, they will be easier to eventually uphold in court.

How to Grow Your Email Marketing List and Still be GDPR-Compliant

The implications of the EU GDPR are much more pervasive and widespread than businesses initially thought them to be. Database creation, information collection, archive maintenance, and multiple other activities are affected. Email marketing is one of these activities.

Maintaining an email list that is GDPR-compliant can be a challenge. If you don’t know how to handle the process, the following email marketing tips will shed some light on the essentials.

Email Opt-in Tactics Matter

At the end of 2017, Forrester predicted that 80 percent of companies will fail with their GDPR compliance efforts. While the number may seem shocking, it probably isn’t that far off from the truth.

Ensuring compliance in the field of your email marketing strategy can be particularly tricky, especially when it comes to opt-in strategies.

Pre-checked opt-in boxes (for example, when a person is attempting to order a product or create a log-in account) have become a big no-no in terms of GDPR compliance. You can no longer do that to collect email information and send newsletters in the future.

You have to collect explicit opt-in permissions from the people who visit your website. Consent should be freely given; otherwise, you cannot send newsletters or other forms of promotional emails. Let your audience decide whether they’d like to opt in and start receiving emails from you. Relying on pre-ticked boxes is deceptive and ineffective anyway!

Provide Clear Explanation of What People Are Signing Up for

Apart from getting affirmative consent, you will also have to make sure people are informed about what they’re signing up for in order to ensure EU GDPR compliance.

You can accomplish this by featuring a few sentences next to each checkbox. The explanation should tell potential subscribers how their personal information is going to be used, what type of newsletter they’d be getting, and how frequently they will be contacted.

Get Consent from Existing Email Subscribers (If Necessary!)

In a survey carried out by Compose, 70 percent of small business owners said that email marketing was their biggest concern as far as GDPR compliance goes. Things are most challenging when it comes to the existing database and the management of data collected before the enforcement of GDPR.

You have to account for the date on which a person subscribed to your newsletter. If you don’t know what the date is, you will have to obtain explicit opt-in consent from the person who’s already on record in your existing newsletter database.

A simple campaign carried out via email will be sufficient to notify your existing subscribers of the changes and the need for consent renewal.

The Opt-Out Process

Under GDPR, you also have to make it effortless for subscribers to opt out of your mailing list.

The good news is that if you’re following the CAN-SPAM guidelines, you have already provided your subscribers with such an option. Nothing will have to change and you will still be GDPR-compliant.

If not, you will have to put an effective opt-out mechanism in place. Include a button at the bottom of each email that will take subscribers to the opt-out page. There, you can request some information about the reason for the opt-out. You will be GDPR-compliant and you will get essential information that could improve the effectiveness of your marketing efforts in the future.

GDPR: 10 Steps That Will Help Guide You Through The New E.U. Data Protection Framework

The new European data protection law, the General Data Protection Regulation (GDPR), comes into force on the 25th of May, 2018. The new framework puts considerable pressure on online and offline businesses of all sizes because it strengthens the rules under which the personal data of European residents can be collected, stored, and disclosed. Despite its territorial scope, the GDPR will also apply to organizations that do not have a physical presence in the European Union.

To guide you through the new E.U. data protection framework, we’ve provided you with a 10-step guideline that will allow you to better understand the formal requirements of the GDPR and the new personal data security standards.

1. Scope of the GDPR

Although the GDPR is a European legislation, it may apply to businesses located in other jurisdictions as well. More specifically, the GDPR applies to natural and legal persons that collect personal data and:

  • Are established in the E.U.;
  • Are not established in the E.U. but cooperate with data processors that are established in the E.U.; or
  • Are not established in the E.U. but collect personal data of E.U. residents or target them (e.g., offer them goods and services or monitor their behavior).

The GDPR will not be applicable if you are a natural person who accesses personal data in the course of a purely personal or household activity (e.g., browsing social media websites).

2. Tracking personal data

The GDPR defines personal data as any information that allows you to identify a natural person. For instance, personal data may include personal names, physical addresses, email addresses, social security numbers, location data, genetic information, biometric data, health care data, and IP addresses.

The GDPR requires applying the principle of data minimization, meaning that you can collect and process only the amount of personal data that is required to provide the requested service.

In order to keep track of all of the personal data that you collect, store, access, share, and process online and offline, it is important to document such transactions for your own records. Also, in certain cases (e.g., if you employ more than 250 persons, collect personal data regularly, or target special categories of personal data) you may be obliged to maintain data processing records.  

It is important to note that the GDPR imposes stricter requirements (e.g., obtaining explicit consent) for special categories of personal data, such as a person’s racial or ethnic origin, political, religious, and philosophical opinions, trade union membership, genetic data, biometric data, healthcare data, and data concerning a natural person’s sex life or sexual orientation.

3. Collaboration with third parties

Under the GDPR, all third parties that have access to personal data collected by you, such as cloud storage providers, hosting providers, and newsletter providers, are considered to be data processors. The law stipulates that the relationship between you and data processors should be governed by data processing agreements, which should reflect (1) the types of personal data you provide access to, (2) the purposes of processing, (3) the duration of processing, (4) the applicable security measures, and (5) the mutual assistance in fulfilling your obligations under the GDPR.

If the third parties are located outside the EEA, you can disclose or transfer personal data only if certain conditions are met, including, but not limited to:

  • If the third party is established in the country that is “white-listed” by the E.U.;
  • If you conclude a contract with the third party on the basis of pre-approved contractual clauses or binding corporate rules;
  • If the data subject provides you with explicit consent to the disclosure or transfer of personal data; or
  • If the transfer is explicitly necessary for conclusion or performance of a contract.

4. Consent

Consent for the collection and processing of personal data is one of the legal grounds for lawful data processing under the GDPR. To be valid, consent should be prior, explicit, informed, and freely given (pre-ticked boxes are not allowed). Processing without consent is permitted if the personal data is necessary for performing a contract with the data subject (e.g., booking an appointment, providing the requested service, or delivering a product), for pursuing legitimate business interests, and in some other exceptional circumstances.

5. Data protection and storage

Under the GDPR, personal data can be retained only as long as its storage is necessary for the purpose for which the personal data was collected. Afterwards, the personal data should be deleted. Only in certain cases, when the storage of personal data is required by the applicable law (e.g., for accountancy purposes), businesses are allowed to retain personal data in order to comply with their legal obligations.
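The retention rule above (delete once the purpose is served, unless a statute requires keeping the data) is easy to state and easy to forget in practice. As an added illustration, not code from this post, the following Python routine sorts stored records into what to delete, what to keep, and what nobody can justify. The purposes, retention periods, and record layout are constructed for the example; the real periods come from your own records of processing and the laws that apply to you.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule in days per documented processing purpose.
# These figures are constructed for the example, not legal requirements.
RETENTION_DAYS = {
    "contact_form_inquiry": 180,
    "support_ticket": 365,
    "invoice": 10 * 365,   # example of a period driven by accounting law
}


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    legal_hold: bool = False  # True when a statute obliges you to keep it past the schedule


def is_expired(rec, today):
    """True when the record is older than the retention period for its purpose."""
    return today - rec.collected_on > timedelta(days=RETENTION_DAYS[rec.purpose])


def plan_purge(records, today):
    """Sort records into what to delete, what to keep, and what needs a human decision.

    - delete: past its retention period and not under legal hold
    - keep:   still within the period, or expired but retained under a legal obligation
    - review: the purpose has no documented retention period, so nobody can say
              why the data is still there (the "extra information" case)
    """
    plan = {"delete": [], "keep": [], "review": []}
    for rec in records:
        if rec.purpose not in RETENTION_DAYS:
            plan["review"].append(rec.record_id)
        elif not is_expired(rec, today) or rec.legal_hold:
            plan["keep"].append(rec.record_id)
        else:
            plan["delete"].append(rec.record_id)
    return plan


# Constructed sample data; the fixed "today" keeps the result reproducible.
TODAY = date(2018, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "contact_form_inquiry", date(2017, 6, 1)),      # 365 days old: expired
    Record("r2", "support_ticket", date(2018, 3, 1)),            # 92 days old: keep
    Record("r3", "invoice", date(2005, 1, 1), legal_hold=True),  # expired, but law requires it
    Record("r4", "analytics_extra", date(2018, 5, 1)),           # no documented purpose
    Record("r5", "support_ticket", date(2017, 1, 1)),            # 516 days old: expired
]

if __name__ == "__main__":
    for action, ids in plan_purge(SAMPLE_RECORDS, TODAY).items():
        print(f"{action}: {ids}")
```

The "review" bucket is the useful part: a record whose purpose has no retention period is exactly the extra data the posts warn about, and surfacing it is better than either deleting it blindly or letting it linger until a breach makes it someone else's problem.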

To protect personal data, appropriate organizational and technical security measures have to be taken (e.g., limited access to personal data by employees, anonymization, secured networks, and encryption) and you have to ensure that the data processors with whom you cooperate have also put equivalent security measures in place.

6. Data subjects’ rights

The GDPR provides data subjects with a number of rights with regard to their personal data. Indicate in your privacy policy those rights, and give instructions on how data subjects can exercise them. Such rights include:

  • The right to access personal data (e.g., getting a list of personal data you store about the data subject);
  • The right to correct personal data (e.g., change of contact details);
  • The right to erase personal data and object to profiling (i.e., “right to be forgotten”);
  • The right to restrict the processing of personal data;
  • The right to ask a data controller to provide another data controller with a list of personal data related to the data subject; and
  • The right to launch a complaint about the handling of personal data.

7. Identification and transparency

Give your privacy policy the highest level of transparency. List clearly the types of personal data you collect, the purposes of collection, the grounds for processing, third parties that have access to personal data, and all your policies and procedures governing collection, storage, and the processing of personal data.  

Also, indicate your contact details clearly in your privacy policy, including the email and post addresses that can be used by data subjects to contact you with regard to personal data. Also, mention the timeframe in which you will respond to the data subject’s inquiries.

8. Children

The GDPR prohibits the collection and processing of children’s personal data without obtaining a parental or guardian consent in advance. In order to comply with this requirement, consider putting systems in place to verify individuals’ ages and to obtain the requested consent. Also, provide parents or guardians with the opportunity to request the erasure of children’s personal data that has been obtained without their consent.

9. Data breaches

The GDPR puts in place strict guidelines for reporting security breaches that affect personal data. In a nutshell, you have to inform the supervisory authority within 72 hours from the moment you become aware of a breach, and then provide details about the affected personal data. Should a data breach occur in data processors’ systems, the data processors have to immediately notify you. Make sure that you have the right procedures in place to detect, report, and investigate a data breach.

10. Data Protection Officer (DPO)

You can voluntarily appoint a DPO as a person who will assist you in complying with the GDPR, as well as tracking and documenting the transactions involving personal data within your organization. The GDPR explicitly requires appointing a DPO if:

  • Your business relies mainly on processing of personal data on a large scale;
  • You process special categories of personal data on a large scale;
  • The processing of personal data may cause a threat to rights and freedoms of data subjects; or
  • You are a public body or authority.

Is Encryption a Mandatory Part of GDPR Compliance?

Website encryption guarantees a high level of security for visitors, which is why the number of websites featuring security certificates is on the rise. According to a Mozilla report, the volume of encrypted traffic already surpasses unencrypted traffic. Other reports predict that approximately 75 percent of web traffic will be encrypted by 2019.

While the benefits of data encryption are easy to understand, is there a legal requirement for websites to feature a security certificate? Does the new General Data Protection Regulation (GDPR) mandate such a change?  The use of a security certificate is definitely beneficial, but there’s currently no encryption law that necessitates the change.

Is SSL Certification Needed to Be GDPR-Compliant?

An SSL certificate lets a website serve its pages over an encrypted connection, increasing privacy and giving visitors peace of mind. The padlock symbol in the address bar shows whether the connection to a website is encrypted.

Under GDPR, data encryption is recommended, but not mandatory. In fact, the term “encryption” appears only a few times in the lengthy document.

GDPR suggests the introduction of safety measures like encryption and various others (the words used are “may be introduced” and “optional”). Encryption is only one suggestion, and while it is presented as a good choice, there are no statements that make it mandatory.

The Lack of Encryption and Data Breaches

While there are currently no encryption laws that mandate the purchase of a certificate, website owners are expected to do everything in their power to prevent eventual data leaks, website hacking, and breaches.

If a data breach occurs and the data of EU citizens get affected, the website owner will have to answer questions about the security safeguards in place. Questions about the encryption of personal and sensitive information may also arise.

Would the lack of encryption be perceived as a negative thing? Most likely! Are there any requirements under the new GDPR policies for the purchase and the integration of the SSL certificate? Such provisions do not exist at the time being.

The General Data Protection Regulation is concerned with ensuring the safety of personal data. Thus, you should work hard towards guaranteeing e-privacy in every possible way. While data breaches are often inevitable, there are things to do for the purpose of minimizing the risk.

A few of the best options (other than website encryption) include the following:

  • Make sure that the system and all software will get upgrades on a regular basis
  • Refrain from using default passwords and usernames
  • Keep track of devices to make sure none are lost or stolen
  • Limit the number of people who have admin rights and access to sensitive information (human error is still one of the most profound contributing factors to data breaches)
  • Reduce data transfers
  • Make sure that all employees who do website work undergo data security training

Getting Your Website Encrypted Is a Good Idea

While GDPR does not make website encryption mandatory, this is a good option you should consider for your online platform.

There are different kinds of security certificates, and their features will determine the cost. Many hosting companies will also provide a free SSL certificate as a part of the service package their clients receive. This is worth considering, but talk to a developer or a data security specialist first. Encryption certificates are not created equal, and some may not be worth getting.

The things that you do to guarantee the security of your website’s visitors will have an impact on your reputation. Do a bit of research and consider all possibilities carefully before turning down one option or the other.

Four Reasons to Have a Non-Disclosure Agreement with Your Clients

Being an entrepreneur and growing your business will necessitate a lot of hard work and strategic thought. Protecting new concepts, ideas, and business development models will be of utmost importance when it comes to maintaining your competitive advantage. In such instances, a non-disclosure agreement can come in handy.

NDAs are typically created to protect confidential information. A mutual non-disclosure agreement will protect both parties involved. While certain business interactions don’t necessitate the use of NDAs, such documents will provide amazing benefits in other instances.

Preventing Information Disclosure to Third Parties

This is the essence of non-disclosure agreement laws – preventing the unauthorized disclosure of information to third parties.

Imagine a situation in which you’re presenting an idea or showing an invention to a potential business partner or customer. In such instances, you want to convey something important about your business without getting the respective idea stolen.

The NDA will oblige the potential client or business partner to keep the information under wraps. Thus, you can demonstrate your biggest strengths without feeling concerned about a potential information leak.

Ensuring the Provision of Quality Services Without Risks

Occasionally, you will interact with partners and third parties tasked with providing services. To accomplish such a goal, they may need access to sensitive data like financial information about your business, inventory, employee data or marketing data.

Such data should not be disseminated outside the organization and you should definitely consider a non-disclosure agreement in such instances.

Providing Information about the Licensing of Specific Technologies

When the sale or product licensing prospect is on the table, you will once again have to think about protecting your business in the worst-case scenario.

The information exchanged with a potential customer in such situations can easily be used by them to gain leverage in the negotiations with other service providers. As a result, you are not going to be competitive on the respective market.

Licensing and sale discussions usually involve the presentation of financial data, facts and figures. Obviously, you don’t want such information circulating freely and you should get that NDA before the talks begin.

In the Event of Selling Your Business

Non-disclosure agreements will also come in handy whenever you’re considering the sale of the entire business.

When selling your business, you will have to present a lot of sensitive data in order to entice a potential buyer into making an offer. At the same time, such data will put you at a massive disadvantage if it gets out there.

It will be difficult to assess who is a serious potential buyer right from the start and who’s there just to gather a bit of intelligence. Non-disclosure agreements are imperative because you’re otherwise left vulnerable. There’s a reason why large companies make NDAs a standard part of the merger and acquisition process.

The Quality of the NDA Matters

In order to offer reliable protection, a non-disclosure agreement should be drafted professionally. Adherence to non-disclosure agreement laws and personalization will both be required to address potential risks and ensure comprehensive sensitive data protection.

Working with a legal professional is imperative in such instances. An attorney will also know how to handle the process of negotiating when it comes to signing a mutual non-disclosure agreement or a privacy agreement with a potential business partner.

Is Your Website Ready for the GDPR?

Is your website ready for the enforcement of GDPR on May 25, 2018? The General Data Protection Regulation is designed to make digital privacy laws across Europe uniform, and compliance failures could potentially contribute to hefty fines.

Website content management and e-privacy policies are heavily affected by the new GDPR regulations. Here are a few of the things you will have to do to make sure your website is ready for the GDPR.

GDPR Provisions for Websites

Many websites require private data and permissions from visitors in order to function properly or provide relevant content. The GDPR will change the manner in which such website visitor information is being collected.

The new European regulations give internet users full control over their data and their e-privacy. Clear, easy-to-understand, and optional opt-in/opt-out policies have to be implemented as a result of the new EU digital privacy laws.

Some of the most important ways in which GDPR compliance can be ensured include the following:

  • Active opt-in forms that enable the visitor to either subscribe or unsubscribe effortlessly
  • The addition of data encryption
  • The creation of a strong privacy policy/privacy statement
  • The provision of legal justification for personal and sensitive data processing
  • Allowing the deletion of customer/website subscriber information
  • The provision of easy opt out or withdrawal of permission

What to Do in Order to Ensure GDPR Compliance

The summary above gives you some idea about the website changes that will have to occur in order to ensure GDPR compliance. Let’s take a deeper look at the actual steps involved in making these changes happen.

The first and easiest thing to do is to modify and augment your digital privacy and information handling policies. Luckily, the Information Commissioner’s Office has published detailed guidelines and examples of how a privacy notice is to be written. To be on the safe side, you should also consult an experienced attorney who will help you craft an effective, GDPR-compliant document.

Cookie policies are also to be thoroughly outlined in the notice!

Next, consider getting an SSL/TLS certificate so that your site is served over HTTPS. This encrypts data in transit between the visitor’s browser and your server and helps you protect sensitive data such as form submissions (it does not, by itself, protect data once it is stored on your systems). It’s easy to see whether a website uses a valid certificate: browsers show a small padlock symbol in the address bar before the URL when the connection is encrypted.

Changing all website forms is another very important part of ensuring compliance.

Under GDPR requirements, website forms can no longer feature pre-ticked boxes (you have probably seen pre-ticked boxes for newsletter subscriptions or for sending marketing information to new website members).

The aim of the GDPR is to have websites provide specific consent options for every potential interaction with the website. Pre-ticked boxes take away some of that freedom of choice.

Specific consent is also needed for sharing user information with third-party service providers. In addition, consent should be easy and effortless to withdraw. Website owners should make sure that their visitors and subscribers know they can withdraw consent at any time and they should also outline the consent withdrawal procedure that is to be followed.

A few other things to address include IP tracking, the use of personal data for re-marketing, and the manner in which data breaches are going to be reported and addressed.

The GDPR aims to ensure transparency and simplicity as far as e-privacy is concerned. This means that every policy and every term and condition on the website will have to be revisited and rewritten. Don’t hesitate to introduce these changes; as already mentioned, compliance failures could have serious consequences.

Privacy Notices Under GDPR: How to Draft a Compliant Statement

The deadline for the enforcement of the new General Data Protection Regulation (GDPR) is fast approaching and many businesses are still unprepared to address new privacy concerns and requirements.

GDPR changes are going to have the most profound effect on privacy policies and notices. The GDPR privacy notice has a couple of specifics that make it different from previous versions of the document. Currently, a privacy notice template is made available by the Information Commissioner’s Office. This is one of the official sources of information you can rely on to ensure compliance. Other privacy notice forms you find online could be outdated, which would lead to a GDPR compliance failure.

What Does a GDPR Privacy Notice Have to Feature?

The aim of GDPR is to give internet users and website visitors full control over the manner in which their personal data is being used. The rights of website visitors, customers, and subscribers should be presented in a comprehensive privacy notice.

The privacy notice is a public statement that focuses on how personal and sensitive data protection principles will be applied in reference to the website’s functioning.

According to Articles 12, 13 and 14 of the GDPR, a website’s privacy policy should be:

  • Concise and written in a language that’s easy to understand
  • Transparent and readily accessible on the website
  • Free of charge
  • Written so that a child could understand the information contained in it

There are numerous important questions that website privacy terms and conditions have to address in order to ensure GDPR compliance. A few of these key issues include:

  • Information about the entity that is collecting data and how this data is going to be used
  • The legal basis for the collection and processing of personal or sensitive information
  • Whether the information is going to be shared with third parties, and if so, how and why
  • The amount of time during which personal and sensitive data is going to be stored
  • The rights of the individuals who share their sensitive data with the entity
  • The manner in which a complaint can be filed
  • The manner in which website visitors can give or withdraw consent to data collection

Drafting a GDPR-Compliant Privacy Policy

Most often, privacy notices are copy-pasted or filled with jargon to the point that they become completely unreadable.

If your privacy notice isn’t simple, straightforward and well-written, you will have to rework it.

All the ways in which personal data is going to be collected and used will have to be outlined. This means that if you use third-party products on the website (Google Analytics, email newsletter software) that require visitor information, your visitors should be informed of it.

A generic privacy policy is no longer going to cut it. It has to be specific and it has to provide details about the entity behind the website, the purpose of the website, data collection practices and the numerous ways in which such information is going to be used to enhance the visitor’s experience.

Official privacy notice templates can be quite helpful when attempting to draft a brand new document. In the absence of legal knowledge or experience, however, you may want to seek professional assistance. There are fines and penalties for compliance failures, which is why you can’t leave the drafting of your privacy notice to chance.


All About Intellectual Property: The Differences Between Copyrights, Trademarks, Patents, and Trade Secrets


In the current age of technology, inventions, and ideas, protection of intellectual property has become quite common in our society. The four types of intellectual property (copyrights, trademarks, patents, and trade secrets) are often heard of in everyday conversation. But how do we differentiate between these four protections? This blog post acts as a guide explaining the basics of intellectual property.

Copyrights:

Copyright protection is available for original works of authorship that are fixed in a tangible form, whether published or unpublished. The categories of work that can be protected include paintings, literary works, live performances, photographs, movies, and software. It is important to understand that copyright law covers the “form of material expression,” and not the actual concepts, ideas, techniques, or facts in a particular work, hence why it must be in tangible form.

Trademarks:

Trademark protection is available for certain names, symbols, devices, or words that will be used in connection with a good or service. The purpose behind trademarks is to allow companies and individuals to indicate the source of their goods or services and to distinguish them from others in the industry. A trademark not only gives the owner the exclusive right to use the mark but also allows the owner to prevent others from using a similar mark that may be confusing to the general public. It does not, however, prevent others from making or selling the same good or service.

Patents:

A patent is a right granted to an inventor that permits that inventor to exclude others from making, selling, or using his or her invention for a period of time. For an invention to qualify for a patent, it must be both “novel” and “non-obvious.” An invention is novel if it is different from other similar inventions in one or more of its parts. It also must not have been publicly used, sold, or patented by another inventor within a year of the date that the patent application is filed. As for the second qualification, an invention is non-obvious if someone who is skilled in the relevant field of the invention would consider its development to be unexpected or surprising.

Trade Secrets:

Trade secrets consist of information, including formulas, patterns, compilations, programs, devices, methods, techniques, or processes. To meet the definition of a trade secret, the information must be used in business, and grant the user an opportunity to obtain an economic advantage over competitors who do not know of it or use it. This protection is fairly limited, as a trade secret holder is only protected from unauthorized disclosure and use. If a trade secret holder fails to maintain secrecy or if the information is independently discovered, becomes released, or otherwise becomes generally known, protection as a trade secret is lost. However, trade secrets do not expire, so protection continues until discovery or loss.

If you have additional questions, or if you are looking to protect your ideas, products, or business, you should contact an experienced intellectual property attorney.